Securing Your Network, One Zone at a Time

As corporations implement compliance with various regulations such as Sarbanes-Oxley, they find that they end up with different zones within their network that can't talk to each other.

This makes it difficult to implement an enterprise security solution. Adding virtualization to the mix complicates things further.

Apani Networks has come up with a solution to this: EpiForce VM.

EpiForce VM

Launched at the RSA Security Conference held last week at San Francisco's Moscone Center, EpiForce VM is a software-based solution that lets enterprises isolate both virtual and physical servers and endpoints as well as business-critical data into logical security zones regardless of what platform they run on or where they are physically on the network.

"We don't care if you're running on legacy systems or Windows or Solaris or a virtual platform, you should be able to isolate your servers and PCs into zones of like-minded computers," Ryan Malone, Apani's vice president of marketing , told TechNewsWorld.

"We control communications between zones and within the zones themselves," he added, saying that this is "an alternative to traditional network segments and virtual local area networks."

How It Works

EpiForce VM came out of research done at the National Security Agency. It is IPSec-based and is deployed at the network layer so "it is transparent to your existing network, to your applications and to your users," Malone said. IPSec, or Internet protocol security, is a suite of protocols for securing IP communications by authenticating or encrypting each IP packet in a data stream, or doing both.

So, all communications between zones is controlled by authentication of all machine-to-machine traffic and encryption based on policies set by the user and accessed on demand.

All machines in the same logical zone, whether they run the same operating system, or are physical or virtual, will remain connected regardless of their physical location. "You can take a physical machine and convert it to a virtual machine, or physically relocate a machine, and it will still be connected to others in the same logical zone," Malone said.

That's because EpiForce VM uses IPSec agents. "Instead of having links between IP addresses (a server's or desktop's location on the Internet), we have IPSec agent to IPSec agent, so we can have persistent connectivity," Malone explained.

Managing EpiForce VM

The application comes with its own centralized console and 30 canned reports.

Alternatively, it can be integrated into existing network management applications. "If you have, say, HP (NYSE: HPQ) OpenView and you want to use Syslog to read your reports, EpiForce will write the reports to Syslog," Malone said.

Syslog is a standard for forwarding log messages in an IP network.

EpiForce VM will be available in the second quarter of this year, and will initially support VMWare ESX Server.

VMWare ESX Server users will be able to migrate virtual machines protected by EpiForce VM between physical hosts without disrupting existing security policies.